Abstract. Reasoning semantically in first-order logic is notoriously a challenge. This paper surveys a selection of semantically-guided or model-based methods that aim at meeting aspects of this challenge. For first-order logic we touch upon resolution-based methods, tableaux-based methods, DPLL-inspired methods, and we give a preview of a new method called SGGS, for Semantically-Guided Goal-Sensitive reasoning. For first-order theories we highlight hierarchical and locality-based methods, concluding with the recent Model-Constructing satisfiability calculus.


1 Introduction 

Traditionally, automated reasoning has centered on proofs rather than models. 
However, models are useful for applications, intuitive for users, and the notion 
that semantic guidance would help proof search is almost as old as theorem 
proving itself. In recent years there has been a surge of model-based first-order 
reasoning methods, inspired in part by the success of model-based solvers for 
propositional satisfiability (SAT) and satisfiability modulo theories (SMT). 

The core procedure of these solvers is the conflict-driven clause learning (CDCL) version [52,62,88,60] of the Davis-Putnam-Logemann-Loveland (DPLL) procedure for propositional logic [32]. The original Davis-Putnam (DP) procedure [33] was proposed for first-order logic, and featured propositional, or ground, resolution. The DPLL procedure replaced propositional resolution with splitting, initially viewed as breaking disjunctions apart by case analysis, to avoid the growth of clauses and the non-determinism of resolution. Later, splitting was understood as guessing, or deciding, the truth value of a propositional variable, in order to search for a model of the given set of clauses. This led to reading DPLL as a model-based procedure, where all operations are centered around a candidate partial model, called context, represented by a sequence, or trail, of literals.

DPLL-CDCL brought back propositional resolution as a mechanism to generate lemmas, and achieve a better balance between guessing and reasoning. The model-based character of the procedure became even more pronounced: when the current candidate model falsifies a clause, this conflict is explained by a heuristically controlled series of resolution steps, a resolvent is added as lemma, and the candidate partial model is repaired in such a way as to remove the conflict, satisfy the lemma, and backjump as far away as possible from the conflict. SMT-solvers integrate in DPLL-CDCL a decision procedure for satisfiability in a theory or combination of theories T: the T-satisfiability procedure raises a T-conflict when the candidate partial model is not consistent with T, and generates T-lemmas to add theory reasoning to the inference component [?].

While SAT and SMT-solvers offer fast decision procedures, they typically 
apply to sets of propositional or ground clauses, without quantifiers. Indeed, 
decidability of the problem and termination of the procedure descend from the 
fact that the underlying language is the finite set of the input atoms. 

ATP (Automated Theorem Proving) systems offer theorem-proving strategies that are designed for the far more expressive language of first-order logic, but are only semi-decision procedures for validity, as the underlying language, and search space, are infinite. This trade-off between expressivity and decidability is ubiquitous in logic and artificial intelligence. First-order satisfiability is not even semi-decidable, which means that first-order model-building cannot be mechanized in general. Nevertheless, there exist first-order reasoning methods that are semantically-guided by a fixed interpretation, and even model-based, in the sense that the state of a derivation contains a representation of a candidate partial model that evolves with the derivation.

In this survey, we illustrate a necessarily incomplete selection of such methods for first-order logic (Section 2) or first-order theories (Section [?]). In each section the treatment approximately goes from syntactic or axiomatic approaches towards more semantic ones, also showing connections with Jose Meseguer's work. All methods are described in expository style, and the interested reader may find the technical details in the references. Background material is available in previous surveys, such as [?] for theorem-proving strategies, [?] for decision procedures based on theorem-proving strategies or their integration with SMT-solvers, and books such as [?].

2 Model-based Reasoning in First-Order Logic 

In this section we cover semantic resolution, which represents the early attempts 
at injecting semantics in resolution; hypertableaux, which illustrates model-based 
reasoning in tableaux, with applications to fault diagnosis and description logics; 
the model-evolution calculus, which lifts DPLL to first-order logic, and a new 
method called SGGS, for Semantically-Guided Goal-Sensitive reasoning, which 
realizes a first-order CDCL mechanism. 


2.1 Semantic Resolution 

Soon after the seminal article by Alan Robinson introducing the resolution principle [?], James R. Slagle presented semantic resolution in [?]. Let S be the finite set of first-order clauses to be refuted. Slagle's core idea was to use a given Herbrand interpretation I to avoid generating resolvents that are true in I, since expanding a consistent set should not lead to a refutation. The following example from [?] illustrates the concept in propositional logic:

Example 1. Given S = {¬A1 ∨ ¬A2 ∨ A3, A1 ∨ A3, A2 ∨ A3}, let I be all-negative, that is, I = {¬A1, ¬A2, ¬A3}. Resolution between ¬A1 ∨ ¬A2 ∨ A3 and A1 ∨ A3 generates ¬A2 ∨ A3, after merging identical literals. Similarly, resolution between ¬A1 ∨ ¬A2 ∨ A3 and A2 ∨ A3 generates ¬A1 ∨ A3. However, these two resolvents are true in I. Semantic resolution prevents generating such resolvents, and uses all three clauses to generate only A3, which is false in I.

Formally, say that we have a clause N, called nucleus, and clauses E1, ..., Eq, with q ≥ 1, called electrons, such that the electrons are false in I. Then, if there is a series of clauses R1, R2, ..., Rq, Rq+1, where R1 is N, Ri+1 is a resolvent of Ri and Ei, for i = 1, ..., q, and Rq+1 is false in I, semantic resolution generates only Rq+1. The intuition is that electrons are used to resolve away literals in the nucleus until a clause false in I is generated.

Example 2. In the above example, ¬A1 ∨ ¬A2 ∨ A3 is the nucleus N, and A1 ∨ A3 and A2 ∨ A3 are the electrons E1 and E2, respectively. Resolving N and E1 gives ¬A2 ∨ A3, and resolving the latter with E2 yields A3: only A3 is retained, while the intermediate resolvent ¬A2 ∨ A3 is not.
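The nucleus/electron chain defined above, run on Examples 1 and 2, as an added Python example (not code from the paper): clauses are frozensets of (atom, sign) pairs, and an interpretation I is given by the set of atoms it makes true, so the all-negative I of Example 1 is the empty set. `semantic_resolvents`, `all_resolvents` and the other names are this example's own; the unrestricted round is included only to show the two resolvents that semantic resolution avoids.

```python
"""Propositional semantic resolution (nucleus + electrons), added example.

A clause is a frozenset of literals; a literal is (atom, sign), sign True for a
positive literal. An interpretation I is the set of atoms true in it.
"""
from collections.abc import Iterable

Literal = tuple[str, bool]
Clause = frozenset


def parse_clause(text: str) -> Clause:
    """'-A1 | -A2 | A3' -> {('A1', False), ('A2', False), ('A3', True)}"""
    lits = []
    for tok in text.split("|"):
        tok = tok.strip()
        lits.append((tok[1:], False) if tok.startswith("-") else (tok, True))
    return frozenset(lits)


def complement(lit: Literal) -> Literal:
    return (lit[0], not lit[1])


def true_in(clause: Clause, I: set[str]) -> bool:
    """A clause is true in I iff at least one of its literals is true in I."""
    return any((atom in I) == sign for atom, sign in clause)


def binary_resolvents(c1: Clause, c2: Clause) -> set[Clause]:
    """All binary resolvents of c1 and c2; identical literals merge because clauses are sets."""
    return {frozenset((c1 - {lit}) | (c2 - {complement(lit)}))
            for lit in c1 if complement(lit) in c2}


def all_resolvents(S: Iterable[Clause]) -> set[Clause]:
    """One round of unrestricted binary resolution, for comparison."""
    S = list(S)
    out: set[Clause] = set()
    for i, c1 in enumerate(S):
        for c2 in S[i + 1:]:
            out |= binary_resolvents(c1, c2)
    return out


def semantic_resolvents(S: Iterable[Clause], I: set[str]) -> set[Clause]:
    """One round of semantic resolution guided by I.

    Every clause may serve as nucleus N; the electrons are the clauses false in I.
    Starting from N, electrons are resolved away one at a time (each electron at
    most once per chain) and only chain members false in I are generated; the
    intermediate resolvents true in I are discarded, as in Example 2.
    """
    S = list(S)
    electrons = [c for c in S if not true_in(c, I)]
    generated: set[Clause] = set()

    def chain(r: Clause, remaining: list[Clause]) -> None:
        for k, e in enumerate(remaining):
            for res in binary_resolvents(r, e):
                if not true_in(res, I):
                    generated.add(res)            # this is an R_{q+1}
                chain(res, remaining[:k] + remaining[k + 1:])

    for nucleus in S:
        chain(nucleus, [e for e in electrons if e != nucleus])
    return generated


# Example 1 of the paper: I all-negative, i.e. no atom is true.
EXAMPLE_1 = [parse_clause("-A1 | -A2 | A3"), parse_clause("A1 | A3"), parse_clause("A2 | A3")]
ALL_NEGATIVE: set[str] = set()

if __name__ == "__main__":
    print("unrestricted:", all_resolvents(EXAMPLE_1))              # ¬A2 ∨ A3 and ¬A1 ∨ A3
    print("semantic:", semantic_resolvents(EXAMPLE_1, ALL_NEGATIVE))  # only A3
```

With the all-positive interpretation the same function performs negative hyperresolution: the electrons become the all-negative clauses and the nucleus is resolved down to a negative clause.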

Semantic resolution can be further restricted by assuming a precedence > on predicate symbols, and stipulating that in each electron the predicate symbol of the literal resolved upon must be maximal in the precedence. The following example also from [31] is in first-order logic:

Example 3. For S = {Q(x) ∨ Q(a) ∨ ¬R(y) ∨ ¬R(b) ∨ S(c), ¬Q(z) ∨ ¬Q(a), R(b) ∨ S(c)}, let I be {Q(a), Q(b), Q(c), ¬R(a), ¬R(b), ¬R(c), ¬S(a), ¬S(b), ¬S(c)}, so that I ⊭ ¬Q(z) ∨ ¬Q(a) and I ⊭ R(b) ∨ S(c). Assume the precedence Q > R > S. Thus, Q(x) ∨ Q(a) ∨ ¬R(y) ∨ ¬R(b) ∨ S(c) is the nucleus N, and ¬Q(z) ∨ ¬Q(a) and R(b) ∨ S(c) are the electrons E1 and E2, respectively. Resolution between N and E1 on the Q-literals produces ¬R(y) ∨ ¬R(b) ∨ S(c), which is not false in I, and therefore it is not kept. Note that this resolution step is a binary resolution step between a factor of N and a factor of E1. Resolution between ¬R(y) ∨ ¬R(b) ∨ S(c) and E2 on the R-literals yields S(c). This second resolution step is a binary resolution between a factor of ¬R(y) ∨ ¬R(b) ∨ S(c) and E2. Resolvent S(c) is false in I and it is kept.

In these examples I is given by a finite set of literals: Example 1 is propositional, and in Example 3 the Herbrand base is finite, because there are no function symbols. The examples in [79] include a theorem from algebra, where the interpretation is given by a multiplication table and hence is really of semantic nature. The crux of semantic resolution is the representation of I. In theory, a Herbrand interpretation is given by a subset of the Herbrand base of S. In practice, one needs a finite representation of I, which is a non-trivial issue whenever the Herbrand base is not finite, or a mechanism to test the truth of a literal in I. Two instances of semantic resolution that aimed at addressing this issue are hyperresolution [?] and the set-of-support strategy [55].

Hyperresolution assumes that I contains either all negative literals or all positive literals. In the first case, it is called positive hyperresolution, because electrons and all resolvents are positive clauses: positive electrons are used to resolve away all negative literals in the nucleus to get a positive hyperresolvent. In the second case, it is called negative hyperresolution, because electrons and all resolvents are negative clauses: negative electrons are used to resolve away all positive literals in the nucleus to get a negative hyperresolvent. Example 1 is an instance of positive hyperresolution.

The set-of-support strategy assumes that S = T ⊎ SOS, where SOS (for Set of Support) contains initially the clauses coming from the negation of the conjecture, and T = S \ SOS is consistent, for some I such that I ⊨ T and I ⊭ SOS. A resolution of two clauses is permitted, if at least one is from SOS, in order to avoid expanding the consistent set T. All resolvents are added to SOS. Thus, all inferences involve clauses descending from the negation of the conjecture: a method with this property is deemed goal-sensitive.

In terms of implementation, positive hyperresolution is often implemented in contemporary theorem provers by resolution with selection of negative literals. Indeed, resolution can be restricted by a selection function that selects negative literals [4]. A clause can have all, some, or none of its negative literals selected, depending on the selection function. In resolution with negative selection, the negative literal resolved upon must be selected, and the other parent must not contain selected literals. If some negative literal is selected for each clause containing one, one parent in each resolution inference will be a positive clause, that is, an electron for positive hyperresolution. Thus, a selection function that selects some negative literal in each clause containing one induces resolution to simulate hyperresolution as a macro inference involving several steps of resolution.

The set-of-support strategy is available in all theorem provers that feature the given-clause loop [?], which is a de facto standard for resolution-based provers. This algorithm maintains two lists of clauses, named to-be-selected and already-selected, and at each iteration it extracts a given clause from to-be-selected. In its simplest version, with only resolution as inference rule, it performs all resolutions between the given clause and the clauses in already-selected, adds all resolvents to to-be-selected, and adds the given clause to already-selected. If one initializes these lists by putting the clauses in T in already-selected, and the clauses in SOS in to-be-selected, this algorithm implements the set-of-support strategy. Indeed, in the original version of the given-clause algorithm, to-be-selected was called SOS, and already-selected was called Usable.

State-of-the-art resolution-based theorem provers implement more sophisticated versions of the given-clause algorithm, which also accommodate contraction rules, that delete (e.g., subsumption, tautology deletion) or simplify clauses (e.g., clausal simplification, equational simplification). The compatibility of contraction rules with semantic strategies is not obvious, as shown by the following:

Example 4. Let T = {¬P, P ∨ Q} and SOS = {¬Q}. Clausal simplification, which is a combination of resolution and subsumption, applies ¬Q to simplify P ∨ Q to P. If the result is T = {¬P, P} and SOS = {¬Q}, the consistent set T becomes inconsistent, and the refutational completeness of resolution with set-of-support collapses, since the set-of-support strategy does not allow us to resolve P and ¬P, both being in T. The correct application of clausal simplification yields T = {¬P} and SOS = {¬Q, P}, so that the refutation can be found.

In other words, if a clause in SOS simplifies a clause, whether in T or in SOS, the resulting clause must be added to SOS. The integration of contraction rules and other enhancements, such as lemmaizing, in semantic strategies was investigated in general in [?].
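Example 4 played out in code, as an added example that is not the paper's: a minimal given-clause loop with the set-of-support initialization described above (T in already-selected, SOS in to-be-selected) plus clausal simplification by unit clauses. The flag `simplified_into_sos` (a name chosen here, like the other function names) switches between the correct bookkeeping, where a clause simplified by an SOS clause is added to SOS, and the incorrect one that leaves a simplified T-clause in T; on Example 4 the former derives the empty clause and the latter saturates without a refutation.

```python
"""Given-clause loop with set-of-support and clausal simplification (added example).

Clauses are frozensets of (atom, sign) pairs, as in the semantic resolution example.
"""

Literal = tuple[str, bool]
Clause = frozenset


def lit(atom: str, positive: bool = True) -> Literal:
    return (atom, positive)


def complement(l: Literal) -> Literal:
    return (l[0], not l[1])


def binary_resolvents(c1: Clause, c2: Clause) -> set[Clause]:
    return {frozenset((c1 - {l}) | (c2 - {complement(l)}))
            for l in c1 if complement(l) in c2}


def clausal_simplification(unit: Clause, clauses: list[Clause]) -> tuple[list[Clause], list[Clause]]:
    """Resolution followed by subsumption with a unit clause: every clause containing
    the complement of the unit literal is replaced by that clause without it.
    Returns (clauses left untouched, simplified replacements)."""
    (l,) = unit
    untouched = [c for c in clauses if complement(l) not in c]
    simplified = [c - {complement(l)} for c in clauses if complement(l) in c]
    return untouched, simplified


def given_clause_sos(T: list[Clause], SOS: list[Clause],
                     simplified_into_sos: bool, max_steps: int = 1000) -> bool:
    """Return True iff the empty clause is derived; False if to-be-selected runs empty.

    already_selected starts as T (the consistent part), to_be_selected as SOS, so
    every resolution involves a clause descending from the negated conjecture.
    """
    already, to_select = list(T), list(SOS)
    for _ in range(max_steps):
        if not to_select:
            return False                      # saturated: no refutation found
        given = to_select.pop(0)
        if not given:
            return True                       # the empty clause
        if len(given) == 1:                   # a unit: simplify both lists with it
            already, from_T = clausal_simplification(given, already)
            to_select, from_SOS = clausal_simplification(given, to_select)
            to_select += from_SOS             # simplified SOS clauses stay in SOS
            if simplified_into_sos:
                to_select += from_T           # correct: results of simplifying T go to SOS
            else:
                already += from_T             # wrong: T may become inconsistent
        for c in already:
            for r in binary_resolvents(given, c):
                if r not in already and r not in to_select:
                    to_select.append(r)
        already.append(given)
    raise RuntimeError("step limit reached")


# Example 4 of the paper: T = {¬P, P ∨ Q}, SOS = {¬Q}
T4 = [frozenset({lit("P", False)}), frozenset({lit("P"), lit("Q")})]
SOS4 = [frozenset({lit("Q", False)})]

if __name__ == "__main__":
    print("correct bookkeeping:", given_clause_sos(T4, SOS4, simplified_into_sos=True))   # True
    print("simplified clause left in T:", given_clause_sos(T4, SOS4, simplified_into_sos=False))  # False
```

In the incorrect run the loop ends with P and ¬P both in already-selected and nothing left to select, which is exactly the collapse of completeness the example describes.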

Semantic resolution, hyperresolution, and the set-of-support strategy exhibit 
semantic guidance. We deem a method semantically guided, if it employs a fixed 
interpretation to drive the inferences. We deem a method model-based, if it builds 
and transforms a candidate model, and uses it to drive the inferences. 

A beginning of the evolution from being semantically guided to being model-based can be traced back to the SCOTT system [?], which combined the finite model finder FINDER, that searches for small models, and the resolution-based theorem prover OTTER [?]. As the authors write "SCOTT brings semantic information gleaned from the proof attempt into the service of the syntax-based theorem prover." In SCOTT, FINDER provides OTTER with a guide model, which is used for an extended set-of-support strategy: in each resolution step at least one of the parent clauses must be false in the guide model. During the proof search FINDER updates periodically its model to make more clauses true. Thus, inferences are controlled as in the set-of-support strategy, but the guide model is not fixed, which is why SCOTT can be seen as a forerunner of model-based methods. Research on the cooperation between theorem prover and finite model finder continued with successors of OTTER, such as Prover9, and successors of FINDER, such as MACE4 [87]. This line of research has been especially fruitful in applications to mathematics (e.g., [?]).

2.2 Hypertableaux 

Tableau calculi offer an alternative to resolution and they have been discussed abundantly in the literature (e.g., Chapter 3 in [?]). Their advantages include no need for a clause normal form, a single proof object, and an easy extendability to other logics. The disadvantage, even in the case of clause normal form tableaux, is that variables are rigid, which means that substitutions have to be applied to all occurrences of a variable within the entire tableau. The hypertableau calculus [10] offers a more liberal treatment of variables, and borrows the concept of hyperinference from positive hyperresolution.

In this section, we adopt a Prolog-like notation for clauses: A1 ∨ ... ∨ Am ∨ ¬B1 ∨ ... ∨ ¬Bn is written A1, ..., Am ⇐ B1, ..., Bn, where A1, ..., Am form the head of the clause and are called head literals, and B1, ..., Bn form the body. There are two rules for constructing a hypertableau (cf. [10]): the initialization rule gives a tableau consisting of a single node labeled with ⊤; this one-element branch is open. The hyperextension rule selects an open branch and a clause A1, ..., Am ⇐ B1, ..., Bn, where m, n ≥ 0, from the given set S, such that there exists a most general unifier σ which makes all the Biσ's follow logically from the model given by the branch. If there is a variable in the clause that has an occurrence in more than one head literal, a purifying substitution π is used to ground this variable. Then the branch is extended by new nodes labeled with A1σπ, ..., Amσπ. A branch is closed if it can be extended by a clause without head literals. S is unsatisfiable if and only if there is a hypertableau for S whose branches are all closed.

Two major advantages of hyperextension are that it avoids unnecessary branching, and only variables in the clauses are universally quantified and get instantiated, while variables in the branches are treated as free variables (except those occurring in different head literals). The latter feature allows a superposition-like handling of equality [?], while the former is relevant for hypertableaux for description logic [78], which we shall return to in the next section. Hypertableaux were implemented in the Hyper theorem prover for first-order logic, followed by E-Hyper implementing also the handling of equality.


Example 5. An example refutation is given in Figure 1. The initial tableau is set up with the only positive clause. Extension at R(a) with the second clause uses σ = {x ← a}: since y appears only once in the resulting head, π = ε and y remains as a free variable. In the right subtree R(f(z)) is extended with the second clause and σ = {x ← f(z)}. In the head P(f(z)), Q(f(z), y) of the resulting clause z is repeated: an instance generation mechanism produces π = {z ← b}, or the instance P(f(b)), Q(f(b), y) ⇐ R(f(b)), to find a refutation. Note how the tableau contains by construction only positive literals, and the interpretation given by a branch is used to control the extension steps very much like in hyperresolution.


P{a) 

T 



Q{a,y) 


P{a) 

T 



Rifiz)) 


Pifib)) 

T 


Q{m,y) 

I 

Pifib)) 


R{a),R{f{z)) <= 
P{x),Q{x,y) <= R{x) 

P{x) <= Q{x,y) 
^Pia) 

<= Pifib)) 


Fig. 1. A sample hypertableaux refutation with the clause set on the right. 
2.3 Model-based Transformation of Clause Sets

Hypertableaux use partial models, that is, models for parts of a clause set, to control the search space. An open branch that cannot be expanded further represents a model for the entire clause set. In this section we present a transformation method, borrowed from model-based diagnosis and presented in [5], which is based on a given model and therefore can be installed on top of hypertableaux. In applications to diagnosis, one has a set of clauses S which corresponds to a description of a system, such as an electrical circuit. Very often there is a model I of a correctly functioning system available; in case of an electrical circuit it may be provided by the design tool itself. If the actual circuit is fed with an input and does not show the expected output, the task is to find a diagnosis, or those parts of the circuit which may be broken. Instead of doing reasoning with the system description S and its input and output in order to find the erroneous parts, the idea is to compute only deviations from the initially given model I.

Assume that S is a set of propositional clauses and I a set of propositional atoms; as a very simple example take

S = {B ⇐, C ⇐ A, B} and I = {A}.

Each clause in S is transformed by replacing a positive literal L by ¬neg_L and a negative literal ¬L by neg_L, if L is contained in I. In other words, a literal which is contained in the initial model moves to the other side of the arrow and is renamed with the prefix neg_ as in

S' = {B ⇐, C, neg_A ⇐ B}.

This transformation is model-preserving, as every model of S is a model of S'. For this it suffices to assign true to neg_L if and only if L is false, for every L ∈ I, and keep truth values unchanged for atoms outside of I. This property is independent of I, and it holds even if I is not a model of S. In our example, after initialization, first hyperextension with B and then hyperextension with C, neg_A ⇐ B, yield the open branches {B, C} and {B, neg_A}. Hyperextension with C, neg_A ⇐ B can be applied because only B occurs in the body. Since A is assumed to be true in I, it can be added: adding A to {B, C} yields model {A, B, C}; adding A to {B, neg_A} yields model {B}. If deriving A in S is very expensive, it pays off to save this derivation by moving A as neg_A to the body of the clause. In this example a Horn clause becomes non-Horn, introducing the case where A is false, and neg_A holds, although A is in I. Symmetrically, a non-Horn clause may become Horn. This transformation technique enabled a hypertableau prover to compute benchmarks from electrical engineering [8], and was also applied to the view update problem in databases [2].
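The transformation of this section together with the propositional case of the hyperextension rule of Section 2.2, as an added Python example that is not code from the paper or from the Hyper prover: clauses are (head, body) pairs of atom sets, `transform` moves the atoms of I across the arrow with the neg_ prefix, `open_branches` is the propositional hypertableau construction (a branch is the set of atoms on it, a clause with empty head closes a branch), and `models_of_original` adds the atoms of I back as described in the text. All function names are this example's own.

```python
"""Model-based transformation of a propositional clause set + propositional hypertableau.

A clause (head, body) is a pair of frozensets of atoms standing for
head_1, ..., head_m <= body_1, ..., body_n. The initial model I is a set of atoms.
"""

Clause = tuple[frozenset, frozenset]


def neg(atom: str) -> str:
    return "neg_" + atom


def transform(S: list[Clause], I: set[str]) -> list[Clause]:
    """Every literal over an atom of I moves to the other side of the arrow, renamed neg_."""
    out = []
    for head, body in S:
        new_head = {a for a in head if a not in I} | {neg(a) for a in body if a in I}
        new_body = {a for a in body if a not in I} | {neg(a) for a in head if a in I}
        out.append((frozenset(new_head), frozenset(new_body)))
    return out


def open_branches(S: list[Clause]) -> set[frozenset]:
    """Hypertableau for propositional clauses: a branch is the set of atoms on it.

    Hyperextension picks a clause whose body is satisfied by the branch but whose
    head is not, and opens one child branch per head atom; a clause with empty
    head has no children, i.e. it closes the branch. Branches that cannot be
    extended are returned: each is a model of S.
    """
    result, stack = set(), [frozenset()]
    while stack:
        branch = stack.pop()
        violated = next(((h, b) for h, b in S if b <= branch and not (h & branch)), None)
        if violated is None:
            result.add(branch)
            continue
        head, _ = violated
        stack.extend(branch | {a} for a in head)
    return result


def models_of_original(S: list[Clause], I: set[str]) -> set[frozenset]:
    """Read each open branch of the transformed set back as a model of S:
    an atom of I is true unless its neg_ counterpart is on the branch."""
    models = set()
    for branch in open_branches(transform(S, I)):
        kept = {a for a in branch if not a.startswith("neg_")}
        kept |= {a for a in I if neg(a) not in branch}
        models.add(frozenset(kept))
    return models


def satisfies(model: frozenset, clause: Clause) -> bool:
    head, body = clause
    return not body <= model or bool(head & model)


# The paper's example: S = {B <=, C <= A, B} and I = {A}
S_EX: list[Clause] = [(frozenset({"B"}), frozenset()), (frozenset({"C"}), frozenset({"A", "B"}))]
I_EX = {"A"}

if __name__ == "__main__":
    print("S':", transform(S_EX, I_EX))                       # {B <=, C, neg_A <= B}
    print("open branches:", open_branches(transform(S_EX, I_EX)))  # {B, C} and {B, neg_A}
    print("models of S:", models_of_original(S_EX, I_EX))      # {A, B, C} and {B}
```

Note that the open branches are models of S' only; the atoms of I are never derived on a branch, which is the saving the text describes, and they are restored only when a branch is read back as a model of S.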

Although this transformation mechanism only works in the propositional case, it can be extended to description logic [31]. Indeed, most description logic reasoners are based on tableau calculi, and a hypertableau calculus was used in [?] as a basis for an efficient reasoner for the description logic SHIQ. For this purpose, the authors define DL-clauses as clauses without occurrences of function symbols, and such that the head is allowed to include disjunctions of atoms, which may contain existential role restrictions as in

∃repairs.Car(x) ⇐ Mechanic(x).

In other words, a given SHIQ-TBox is translated to a large extent into first-order logic; only existential role restrictions are kept as positive "literals." Given a TBox in the form of a set of DL-clauses, if we have in addition an ABox, or a set of ground assertions, we can use the interpretation given by the ABox as initial model for the model-based transformation [35]. On this basis, the already mentioned E-Hyper reasoner was modified to become E-KRHyper, which was shown to be a decision procedure for SHIQ in [?].

2.4 The Model Evolution Calculus 

The practical success of DPLL-based SAT solvers suggested the goal of lifting features of DPLL to the first-order level. Research focused on splitting first-order clauses, seen as a way to improve the capability to handle non-Horn clauses. Breaking first-order clauses apart is not as simple as in propositional logic, because a clause stands for all its ground instances, and literals share variables that are implicitly universally quantified. Decomposing disjunction is a native feature in tableaux, whose downside is represented by rigid variables, as already discussed in Section 2.2, where we saw how hypertableaux offer a possible answer.

The quest for ways to split efficiently clauses such as A(x) ∨ B(x) led to the model evolution calculus [?]. In this method splitting A(x) ∨ B(x) yields a branch with A(x), meaning ∀x A(x), and one with ¬A(c), the Skolemized form of ¬∀x A(x) = ∃x ¬A(x). Splitting in this way has the disadvantage that the signature changes, and Skolem constants, being new, do not unify with other non-variable terms. Thus, the model evolution calculus employs parameters, in place of Skolem constants, to replace existentially quantified variables. These parameters are similar to the free variables of hypertableaux.

The similarity between the model evolution calculus and DPLL goes beyond splitting, as the model evolution calculus aims at being a faithful lifting of DPLL to first-order logic. Indeed, a central feature of the model evolution calculus is that it maintains a context Λ, which is a finite set of literals, representing a Herbrand interpretation I_Λ, seen as a candidate partial model of the input set of clauses S. Thus, the model evolution calculus is a model-based first-order method. Literals in Λ may contain variables, implicitly universally quantified as in clauses, and parameters. Clauses are written in the form Λ ⊢ C, so that each clause carries the context with itself.

In order to determine whether I_Λ ⊨ L, for L an atom in the Herbrand base of S, one looks at the most specific literal in Λ that subsumes L; in case of a tie, L is picked with positive sign. If I_Λ is not a model of S, the inference system unifies input clauses against Λ to find instances that are not true in I_Λ: these instances are subject to splitting, to modify Λ and repair I_Λ. Otherwise, the system recognizes that Λ cannot be fixed and declares S unsatisfiable. As DPLL uses depth-first search with backtracking, the model evolution calculus uses depth-first search with backtracking and iterative deepening on term depth, which however may skew the search towards big proofs with small term depth. The model evolution calculus was implemented in the Darwin prover [?], and extended to handle equality on its own [12] and with superposition [14].

2.5 SGGS: Semantically-Guided Goal-Sensitive Reasoning 

SGGS, for Semantically-Guided Goal-Sensitive reasoning, is a new theorem-proving method for first-order logic [29,26,28,27], which inherits features from several of the strategies that we surveyed in the previous sections. SGGS is semantically guided by a fixed initial interpretation I like semantic resolution, and it is goal-sensitive like the set-of-support strategy. With hyperresolution and hypertableaux, it shares the concept of hyperinference, although the hyperinference in SGGS, as we shall see, is an instance generation inference, and therefore its closest ancestor is hyperlinking [?], an inference rule that uses the most general unifier of a hyperresolution step to generate instances of the parents, rather than a hyperresolvent.

Most importantly, SGGS is model-based at the first-order level, in the sense of working by representing and transforming a candidate partial model of the given set S of first-order clauses. This fundamental characteristic is in common with the model evolution calculus, but while the latter lifts DPLL, SGGS lifts DPLL-CDCL to first-order logic, and it combines the model-based character with the semantic guidance and the goal sensitivity. Indeed, SGGS was motivated by the quest for a method that is simultaneously first-order, model-based, semantically-guided, and goal-sensitive. Furthermore, SGGS is proof confluent, which means it does not need backtracking, and it does not necessarily reduce to either DPLL or DPLL-CDCL, if given a propositional problem.

In DPLL-CDCL, if a literal L appears in the trail that represents the candidate partial model, all occurrences of ¬L in the set of clauses are false. If all literals of a clause C are false, C is in conflict; if all literals of C except one, say Q, are false, Q is an implied literal with C as justification. The status of C depends on the decision levels where the complements of its literals were either guessed (decision) or implied (Boolean propagation). SGGS generalizes these concepts to first-order logic. Since variables in first-order literals are implicitly universally quantified, if L is true, ¬L is false, but if L is false, we only know that a ground instance of ¬L is true. SGGS restores the symmetry by introducing the notion of uniform falsity: L is uniformly false, if all its ground instances are false, or, equivalently, if ¬L is true. A first role of the given interpretation I is to provide a reference model where to evaluate the truth value of literals: a literal is I-true, if it is true in I, and I-false, if it is uniformly false in I.

An SGGS clause sequence Γ is a sequence of clauses, where every literal is either I-true or I-false, so that it tells the truth value in I of all its ground instances. In every clause C in Γ a literal is selected: if C = L1 ∨ ... ∨ Ln and Ln is selected, we write the clause as L1 ∨ ... ∨ [Ln], or, more compactly, C[Ln], with a slight abuse of the notation. SGGS tries to modify I into a model of S (if I is a model of S the problem is solved). Thus, I-false literals are preferred for selection, and an I-true literal is selected only in a clause whose literals are all I-true, called I-all-true clause. A second role of the given interpretation I is to provide a starting point for the search of a model for S.

An SGGS clause sequence Γ represents a partial interpretation IP(Γ): if Γ is the empty sequence, denoted by ε, IP(Γ) is empty; if Γ is C1[L1], ..., Ci[Li], and IP(Γ|i−1) is the partial interpretation represented by C1[L1], ..., Ci−1[Li−1], then IP(Γ) is IP(Γ|i−1) plus the ground instances Liσ of Li, such that Ciσ is ground, Ciσ is not satisfied by IP(Γ|i−1), and ¬Liσ is not in IP(Γ|i−1), so that Liσ can be added to satisfy Ciσ. In other words, each clause adds the ground instances of its selected literal that satisfy ground instances of the clause not satisfied thus far.

An interpretation I[Γ] is obtained by consulting first IP(Γ), and then I: for a ground literal L, if its atom appears in IP(Γ), its truth value in I[Γ] is that in IP(Γ); otherwise, it is that in I. Thus, I[Γ] is I modified to satisfy the clauses in Γ by satisfying the selected literals, and since I-true selected literals are already true in I, the I-false selected literals are those that matter. For example, if Γ is [P(x)], ¬P(f(y)) ∨ [Q(y)], ¬P(f(z)) ∨ ¬Q(g(z)) ∨ [R(f(z), g(z))], and I is all negative like in positive hyperresolution, I[Γ] satisfies all ground instances of P(x), Q(y), and R(f(z), g(z)), and no other positive literal.

SGGS generalizes Boolean, or clausal, propagation to first-order logic. Consider an I-false (I-true) literal M selected in clause Cj in Γ, and an I-true (I-false) literal L in Ci, i > j: if all ground instances of L appear negated among the ground instances of M added to IP(Γ), L is uniformly false in I[Γ] because of M, and depends on M, like ¬L depends on L in propositional Boolean propagation, when L is in the trail. If this happens for all its literals, clause C[L] is in conflict with I[Γ]; if this happens for all its literals except L, L is an implied literal with C[L] as justification. SGGS employs assignment functions to keep track of the dependencies of I-true literals on selected I-false literals, realizing a sort of first-order propagation modulo semantic guidance by I. SGGS ensures that I-all-true clauses in Γ are either conflict clauses or justifications.

The main inference rule of SGGS, called SGGS-extension, uses the current clause sequence Γ and a clause C in S to generate an instance E of C and add it to Γ to obtain the next clause sequence Γ'. SGGS-extension is a hyperinference, because it unifies literals L1, ..., Ln of C with I-false selected literals M1, ..., Mn of opposite sign in Γ. The hyperinference is guided by I[Γ], because I-false selected literals contribute to I[Γ] as explained above. Another ingredient of the instance generation mechanism ensures that every literal in E is either I-true or I-false. SGGS-extension is also responsible for selecting a literal in E.

The lifting theorem for SGGS-extension shows that if I[Γ] ⊭ C' for some ground instance C' of a clause C ∈ S, SGGS-extension builds an instance E of C such that C' is an instance of E. There are three kinds of SGGS-extension: (1) add a clause E which is in conflict with I[Γ] and is I-all-true; (2) add a clause E which is in conflict with I[Γ] but is not I-all-true; and (3) add a clause E which is not in conflict with I[Γ]. In cases (1) and (2), it is necessary to solve the conflict: it is here that SGGS lifts the conflict-driven clause learning (CDCL) mechanism of DPLL-CDCL to the first-order level.

In DPLL-CDCL a conflict is explained by resolving a conflict clause C with the justification D of a literal whose complement is in C, generating a new conflict clause. Typically resolution continues until we get either the empty clause ⊥ or an asserting clause, namely a clause where only one literal Q is falsified in the current decision level. DPLL-CDCL learns the asserting clause and backjumps to the shallowest level where Q is undefined and all other literals in the asserting clause are false, so that Q enters the trail with the asserting clause as justification. SGGS explains a conflict by resolving the conflict clause E with an I-all-true clause D[M] in Γ which is the justification of the literal M that makes an I-false literal L in E uniformly false in I[Γ]. Resolution continues until we get either ⊥ or a conflict clause E[L] which is I-all-true. If ⊥ arises, S is unsatisfiable. Otherwise, SGGS moves the I-all-true clause E[L] to the left of the clause B[M], whose I-false selected literal M makes L uniformly false in I[Γ]. The effect is to flip at once the truth value of all ground instances of L in I[Γ], so that the conflict is solved, L is implied, and E[L] satisfied.

In order to simplify the presentation, up to here we omitted that clauses in SGGS may have constraints. For example, x ≢ y ▷ P(x, y) ∨ Q(y, x) is a constrained clause, which represents those of its ground instances that satisfy the constraint: P(a, b) ∨ Q(b, a) is an instance, while P(a, a) ∨ Q(a, a) is not. The reason for constraints is that selected literals of clauses in Γ may intersect, in the sense of having ground instances with the same atoms. Since selected literals determine I^p(Γ), whence I[Γ], non-empty intersections represent duplications, if the literals have the same sign, and contradictions otherwise. SGGS removes duplications by deletion of clauses, and contradictions by resolution. However, before doing either, it needs to isolate the shared ground instances in the selected literal of one clause. For this purpose, SGGS features inference rules that replace a clause by a partition, that is, a set of clauses that represent the same ground instances and have pairwise disjoint selected literals. This requires constraints. For example, a partition of [P(x, y)] ∨ Q(x, y) is {true ▷ [P(f(z), y)] ∨ Q(f(z), y), top(x) ≢ f ▷ [P(x, y)] ∨ Q(x, y)}, where the constraint top(x) ≢ f means that variable x cannot be instantiated with a term whose topmost symbol is f. If L and M in C[L] and D[M] of Γ intersect, SGGS partitions C[L] by D[M]: it partitions C[L] into A1 ▷ C1[L1], ..., An ▷ Cn[Ln] so that only Lj, for some j, 1 ≤ j ≤ n, intersects with M, and Aj ▷ Cj[Lj] is either deleted or resolved with D[M].

The following example shows an SGGS-refutation:

Example 6. Given S = {¬P(f(x)) ∨ ¬Q(g(x)) ∨ R(x), P(x), Q(y), ¬R(c)}, let I be all negative. An SGGS-derivation starts with the empty sequence. Then, four SGGS-extension steps apply:

Γ0: ε
Γ1: [P(x)]
Γ2: [P(x)], [Q(y)]
Γ3: [P(x)], [Q(y)], ¬P(f(x)) ∨ ¬Q(g(x)) ∨ [R(x)]
Γ4: [P(x)], [Q(y)], ¬P(f(x)) ∨ ¬Q(g(x)) ∨ [R(x)], [¬R(c)]

At this stage, the selected literals R(x) and ¬R(c) intersect, and therefore SGGS partitions ¬P(f(x)) ∨ ¬Q(g(x)) ∨ [R(x)] by [¬R(c)]:

Γ5: [P(x)], [Q(y)], x ≢ c ▷ ¬P(f(x)) ∨ ¬Q(g(x)) ∨ [R(x)], ¬P(f(c)) ∨ ¬Q(g(c)) ∨ [R(c)], [¬R(c)]

Now the I-all-true clause ¬R(c) is in conflict with I[Γ5]. Thus, SGGS moves it to the left of the clause ¬P(f(c)) ∨ ¬Q(g(c)) ∨ [R(c)] that makes ¬R(c) false in I[Γ5], in order to amend the induced interpretation. Then it resolves these two clauses, and replaces the parent that is not I-all-true, namely ¬P(f(c)) ∨ ¬Q(g(c)) ∨ [R(c)], by the resolvent ¬P(f(c)) ∨ ¬Q(g(c)):

Γ6: [P(x)], [Q(y)], x ≢ c ▷ ¬P(f(x)) ∨ ¬Q(g(x)) ∨ [R(x)], [¬R(c)], ¬P(f(c)) ∨ ¬Q(g(c)) ∨ [R(c)]

Γ7: [P(x)], [Q(y)], x ≢ c ▷ ¬P(f(x)) ∨ ¬Q(g(x)) ∨ [R(x)], [¬R(c)], ¬P(f(c)) ∨ [¬Q(g(c))]

Assuming that in the resolvent the literal ¬Q(g(c)) gets selected, there is now an intersection between the selected literals ¬Q(g(c)) and Q(y), so that SGGS partitions Q(y) by ¬P(f(c)) ∨ ¬Q(g(c)):

Γ8: [P(x)], top(y) ≢ g ▷ [Q(y)], z ≢ c ▷ [Q(g(z))], [Q(g(c))], x ≢ c ▷ ¬P(f(x)) ∨ ¬Q(g(x)) ∨ [R(x)], [¬R(c)], ¬P(f(c)) ∨ [¬Q(g(c))]

At this point, the I-all-true clause ¬P(f(c)) ∨ [¬Q(g(c))] is in conflict with I[Γ8]. As before, SGGS moves it to the left of the clause that makes its selected literal ¬Q(g(c)) false, namely [Q(g(c))], in order to fix the candidate model, and then resolves ¬P(f(c)) ∨ [¬Q(g(c))] and [Q(g(c))], replacing the latter by the resolvent:

Γ9: [P(x)], top(y) ≢ g ▷ [Q(y)], z ≢ c ▷ [Q(g(z))], ¬P(f(c)) ∨ [¬Q(g(c))], [Q(g(c))], x ≢ c ▷ ¬P(f(x)) ∨ ¬Q(g(x)) ∨ [R(x)], [¬R(c)]

Γ10: [P(x)], top(y) ≢ g ▷ [Q(y)], z ≢ c ▷ [Q(g(z))], ¬P(f(c)) ∨ [¬Q(g(c))], [¬P(f(c))], x ≢ c ▷ ¬P(f(x)) ∨ ¬Q(g(x)) ∨ [R(x)], [¬R(c)]

The resolvent has only one literal, which gets selected; since [¬P(f(c))] intersects with [P(x)], the next inference partitions [P(x)] by [¬P(f(c))]:

Γ11: top(x) ≢ f ▷ [P(x)], y ≢ c ▷ [P(f(y))], [P(f(c))], top(y) ≢ g ▷ [Q(y)], z ≢ c ▷ [Q(g(z))], ¬P(f(c)) ∨ [¬Q(g(c))], [¬P(f(c))], x ≢ c ▷ ¬P(f(x)) ∨ ¬Q(g(x)) ∨ [R(x)], [¬R(c)]

The next step moves the I-all-true clause [¬P(f(c))], which is in conflict with I[Γ11], to the left of the clause [P(f(c))] that makes [¬P(f(c))] false in I[Γ11], and then resolves these two clauses to generate the empty clause:

Γ12: top(x) ≢ f ▷ [P(x)], y ≢ c ▷ [P(f(y))], [¬P(f(c))], [P(f(c))], top(y) ≢ g ▷ [Q(y)], z ≢ c ▷ [Q(g(z))], ¬P(f(c)) ∨ [¬Q(g(c))], x ≢ c ▷ ¬P(f(x)) ∨ ¬Q(g(x)) ∨ [R(x)], [¬R(c)]

Γ13: top(x) ≢ f ▷ [P(x)], y ≢ c ▷ [P(f(y))], [¬P(f(c))], ⊥, top(y) ≢ g ▷ [Q(y)], z ≢ c ▷ [Q(g(z))], ¬P(f(c)) ∨ [¬Q(g(c))], x ≢ c ▷ ¬P(f(x)) ∨ ¬Q(g(x)) ∨ [R(x)], [¬R(c)]
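The partitioning step is applied three times in Example 6 (Γ5, Γ8 and Γ11), each time splitting a selected literal L along the bindings of its unifier with the intersecting literal M: a binding x ↦ f(...) yields a piece constrained by top(x) ≢ f, a binding x ↦ c a piece constrained by x ≢ c, and what remains is the piece that actually intersects M. The following Python is an added example that reconstructs that step; it is not code from the survey, and not an SGGS implementation (the text notes that none exists yet). The term encoding, the `partition` function, the fresh-variable naming and the rendering are assumptions of this example; it ignores constraints already present on the partitioned clause, which is fine for Example 6 because none of the three partitioned clauses carries one.

```python
from itertools import count

# Terms: a variable is a str; a constant or compound term is (symbol, args) with
# args a tuple of terms, e.g. ('c', ()) or ('f', (('c', ()),)).
def is_var(t):
    return isinstance(t, str)

def apply(s, t):
    """Apply substitution s (dict var -> term) to t, following chained bindings."""
    if is_var(t):
        return apply(s, s[t]) if t in s else t
    return (t[0], tuple(apply(s, a) for a in t[1]))

def variables(t):
    return {t} if is_var(t) else set().union(*(variables(a) for a in t[1]))

def unify(t1, t2):
    """Most general unifier of t1 and t2, or None if they share no ground instance."""
    s, stack = {}, [(t1, t2)]
    while stack:
        a, b = stack.pop()
        a, b = apply(s, a), apply(s, b)
        if a == b:
            continue
        if is_var(a) or is_var(b):
            x, t = (a, b) if is_var(a) else (b, a)
            if x in variables(t):            # occurs check
                return None
            s[x] = t
        elif a[0] != b[0] or len(a[1]) != len(b[1]):
            return None
        else:
            stack.extend(zip(a[1], b[1]))
    return s

def fresh_names(used):
    """Variable names y, z, u, ... (then y2, z2, ...) not already used in the clause."""
    for n in count(1):
        for base in "yzuvw":
            name = base if n == 1 else f"{base}{n}"
            if name not in used:
                used.add(name)
                yield name

# A constrained clause is (constraints, literals, sel): constraints is a tuple of
# strings such as 'top(x) ≢ f' or 'x ≢ c', literals a tuple of (positive, atom)
# pairs, and sel the index of the selected literal (assumed encoding).
def partition(clause, m_atom):
    """Partition clause C[L] by the atom of the intersecting literal M.
    Returns (disjoint_pieces, intersecting_piece): the pieces whose selected
    literal shares no ground instance with M, and the one piece that does
    (or ([], None) if L and M do not intersect at all)."""
    cons, lits, sel = clause
    sigma = unify(lits[sel][1], m_atom)
    if sigma is None:
        return [], None
    used = set().union(*(variables(a) for _, a in lits))
    fresh = fresh_names(used)
    # bindings of L's own variables, processed outside-in
    pending = [(x, apply(sigma, x)) for x in sorted(variables(lits[sel][1])) if x in sigma]
    pieces = []
    while pending:
        x, t = pending.pop(0)
        if is_var(t):
            continue                          # variable-to-variable binding: nothing to split
        f, args = t
        if not args:                          # x -> c: split off the instances with x ≢ c
            pieces.append((cons + (f"{x} ≢ {f}",), lits, sel))
            lits = tuple((p, apply({x: t}, a)) for p, a in lits)
        else:                                 # x -> f(...): split off those with top(x) ≢ f
            pieces.append((cons + (f"top({x}) ≢ {f}",), lits, sel))
            new_vars = [next(fresh) for _ in args]
            lits = tuple((p, apply({x: (f, tuple(new_vars))}, a)) for p, a in lits)
            pending = list(zip(new_vars, args)) + pending
    return pieces, (cons, lits, sel)

def term_str(t):
    if is_var(t):
        return t
    f, args = t
    return f if not args else f"{f}({', '.join(term_str(a) for a in args)})"

def clause_str(clause):
    """Render as in the survey: constraints ▷ literals, selected literal in brackets."""
    cons, lits, sel = clause
    parts = [("" if p else "¬") + term_str(a) for p, a in lits]
    parts[sel] = "[" + parts[sel] + "]"
    return (", ".join(cons) + " ▷ " if cons else "") + " ∨ ".join(parts)

if __name__ == "__main__":
    c = ("c", ())
    P_x = ((), ((True, ("P", ("x",))),), 0)
    pieces, hit = partition(P_x, ("P", (("f", (c,)),)))   # partition [P(x)] by [¬P(f(c))]
    for piece in pieces + [hit]:
        print(clause_str(piece))
```

Running it on [P(x)] and ¬P(f(c)) prints the three clauses of Γ11 in order; the same function applied to [Q(y)] and ¬Q(g(c)) gives the three clauses of Γ8, and applied to ¬P(f(x)) ∨ ¬Q(g(x)) ∨ [R(x)] and ¬R(c) the two clauses of Γ5. In the general SGGS rules the partition is driven by splitting rules that also handle constraints on the clause being split and literals M with variables; this reconstruction only covers what Example 6 exercises.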
This example only illustrates the basic mechanisms of SGGS. The method is so new that it has not yet been implemented: the hope is that its conflict-driven model-repair mechanism will have on first-order theorem proving an effect similar to that of the transition from DPLL to DPLL-CDCL for SAT solvers. If this were true, even in part, the benefit could be momentous, considering that CDCL played a key role in the success of SAT technology. Another expectation is that non-trivial semantic guidance (i.e., not based on sign as in hyperresolution) pays off in the case of many axioms or large knowledge bases.

3 Model-based Reasoning in First-Order Theories 

There are basically two ways one can think about a theory presented by a set of axioms: as the set of all theorems that are logical consequences of the axioms, or as the set of all interpretations that are models of the axioms. The two are obviously connected, but may lead to different styles of reasoning, which we portray by the selection of methods in this section. We cover approaches that build axioms into resolution, hierarchical and locality-based theory reasoning, and a recent method called Model-Constructing satisfiability calculus or MCsat.

3.1 Building Theory Axioms into Resolution and Superposition

The early approaches to theory reasoning emphasized the axioms, by building them into the inference systems. The first theory analyzed was equality: since submitting the equality axioms to resolution, or to other inference systems for first-order logic, leads to an explosion of the search space, paramodulation, superposition, and rewriting were developed to build equality into resolution (e.g., |73I48I77I4I2I1 and Chapters 7 and 9 in US]).

Once equality was conquered, research flourished on building-in theories (e.g., |72ltitil54l49l3til4ni53l3()) l. Equational theories, which are axiomatized by sets of equalities, and among them permutative theories, where the two sides of each axiom are permutations of the same symbols, as in associativity and commutativity, received the most attention. A main ingredient is to replace syntactic unification by unification modulo a set E of equational axioms, a concept generalized by José Meseguer to order-sorted E-unification (e.g., |43I37I46]). This kind of approach was pursued further, by building into superposition axioms for monoids [H], groups [SS], rings and modules [53], or by generalizing superposition to embed transitive relations other than equality [5]. The complexities and limitations of these techniques led to the investigation of the methods for hierarchical theory reasoning that follow.

3.2 Hierarchical Reasoning by Superposition

Since José Meseguer's work with Joe Goguen (e.g., lU), it became clear that a major issue at the crossroads of reasoning, specifying, and programming is that theories, or specifications, are built by extension to form hierarchies. A base theory T0 is defined by a set of sorts S0, a signature Σ0, possibly a set of axioms N0, and the class C0 of its models (e.g., term-generated Σ0-algebras). An extended or enriched theory T adds new sorts (S0 ⊆ S), new function symbols (Σ0 ⊆ Σ), called extension functions, and new axioms (N0 ⊆ N), specifying properties of the new symbols. For the base theory the class of models is given, while the extension is defined axiomatically. A pair (T0, T) as above forms a hierarchy with enrichment axioms N.

The crux of extending specifications was popularized by Joe Goguen and José Meseguer as no junk and no confusion: an interpretation of S and Σ that is a model of N is a model of T only if it extends a model in C0, without collapsing its sorts, or making distinct elements equal (no confusion), or introducing new elements of base sort (no junk). A sufficient condition for the latter is sufficient completeness, a property studied also in inductive theorem proving, which basically says that every ground non-base term t' of base sort is equal to a ground base term t. Sufficient completeness is a strong restriction, violated by merely adding a constant symbol: if Σ0 = {a, b}, N = N0 = {a ≄ b}, and Σ = {a, b, c}, where a, b, and c are constants of the same sort, the extension is not sufficiently complete, because c is junk, or, equivalently, a model with three distinct elements is not isomorphic to one with two. Although sufficient completeness is undecidable in general (e.g., [57]), sufficient completeness analyzers exist (e.g., |5til45l47]), with key contributions by José Meseguer.

Hierarchic superposition was introduced in [5] and developed in [41] to reason about a hierarchy (T0, T) with enrichment axioms N, where N is a set of clauses. We assume to have a decision procedure to detect that a finite set of Σ0-clauses is T0-unsatisfiable. Given a set S of Σ-clauses, the problem is to determine whether S is false in all models of the hierarchic specification, or, equivalently, whether N ∪ S has no model whose reduct to Σ0 is a model of T0. The problem is solved by using the T0-reasoner as a black box to take care of the base part, while superposition-based inferences apply only to non-base literals⁶. First, for every clause C, whenever a subterm t whose top symbol is a base operator occurs immediately below a non-base operator symbol (or vice versa), t is replaced by a new variable x and the equation x ≃ t is added to the antecedent of C. This transformation is called abstraction. Then, the inference rules are modified to require that all substitutions are simple, meaning that they map variables of base sort to base terms. A meta-rule named constraint refutation detects that a finite set of Σ0-clauses is inconsistent in T0 by invoking the T0-reasoner. Hierarchic superposition was proved refutationally complete in [6], provided T0 is compact, which is a basic prerequisite to make constraint refutation mechanizable, and N ∪ S is sufficiently complete with respect to simple instances, which means that for every model I of all simple ground instances of the clauses in N ∪ S, and every ground non-base term t', there exists a ground base term t (which may depend on I) such that I ⊨ t' ≃ t.


⁶ Other approaches to subdivide work between superposition and an SMT solver appeared in [20,25].
There are situations where the enrichment adds partial functions: Σ0 contains only total function symbols, while Σ \ Σ0 may contain partial functions and total functions having as codomain a new sort. Hierarchic superposition was generalized to handle both total and partial function symbols, yielding a partial hierarchic superposition calculus [41]. To have an idea of the difficulties posed by partial functions, consider that replacement of equals by equals may be unsound in their presence. For example, s ≄ s may hold in a partial algebra (i.e., a structure where some function symbols are interpreted as partial functions), if s is undefined. Thus, the equality resolution rule (e.g., resolution between C ∨ s ≄ s and x ≃ x) is restricted to apply only if s is guaranteed to be defined. Other restrictions impose that terms replaced by inferences may contain a partial function symbol only at the top; that substitutions cannot introduce partial function symbols; and that every ground term made only of total symbols is smaller than any ground term containing a partial function symbol in the ordering used by the inference system. The following example portrays the partial function case:

Example 7. Let T0 be the base theory defined by S0 = {data}, Σ0 = {b : → data, f : data → data}, and N0 = {∀x f(f(x)) ≃ f(x)}. We consider the extension with a new sort list, total functions {cons : data, list → list, nil : → list, d : → list}, partial functions {car : list → data, cdr : list → list}, and the following clauses, where N = {(1), (2), (3)} and S = {(4), (5)}:

(1) car(cons(x, l)) ≃ x

(2) cdr(cons(x, l)) ≃ l

(3) cons(car(l), cdr(l)) ≃ l

(4) f(b) ≄ b

(5) f(f(b)) ≃ car(cdr(cons(f(b), cons(b, d))))

The partial hierarchic superposition calculus deduces:

(6) x ≄ f(f(b)) ∨ y ≄ f(b) ∨ z ≄ b ∨ x ≃ car(cdr(cons(y, cons(z, d))))   Abstr. (5)

(7) x ≄ f(f(b)) ∨ y ≄ f(b) ∨ z ≄ b ∨ x ≃ car(cons(z, d))   Superp. (2),(6)

(8) x ≄ f(f(b)) ∨ y ≄ f(b) ∨ z ≄ b ∨ x ≃ z   Superp. (1),(7)

(9) ⊥   Constraint refutation (4),(8)
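The abstraction step that turns clause (5) into clause (6) is mechanical, and it is where the base/extension boundary of the hierarchy is made explicit. The following Python is an added example, not code from the survey or from any hierarchic superposition prover: it walks each term of a clause and replaces every maximal subterm that sits across a base/extension boundary by a fresh variable x, collecting the definition as a negative literal x ≄ t (the clausal form of an antecedent equation). Treating an equation whose two sides lie on different sides of the boundary as a boundary too, and abstracting its base side, is a convention chosen here so that the output matches (6); the term encoding, the symbol sets taken from Example 7 and the variable naming are likewise assumptions of this example.

```python
# Signature of Example 7 (taken from the text): b and f are Σ0 (base) symbols;
# cons, nil, d, car, cdr are extension symbols.
BASE = {"b", "f"}
EXT = {"cons", "nil", "d", "car", "cdr"}

# Terms: a variable is a str, any other term is (symbol, args) with args a tuple.
def is_var(t):
    return isinstance(t, str)

def is_base(t):
    return t[0] in BASE

def term_str(t):
    if is_var(t):
        return t
    f, args = t
    return f if not args else f"{f}({', '.join(term_str(a) for a in args)})"

def all_vars(t):
    return {t} if is_var(t) else set().union(*(all_vars(a) for a in t[1]))

class Abstraction:
    """Collects the definitions x ≃ t introduced while abstracting one clause."""
    def __init__(self, avoid):
        self.names = (n for n in "xyzuvw" if n not in avoid)   # fresh variable names
        self.defs = []                                          # (x, t): x stands for t

    def fresh(self, t):
        x = next(self.names)
        self.defs.append((x, t))
        return x

    def abstract(self, t, parent_is_base):
        """Replace every maximal subterm of t whose top symbol is base but sits
        directly below an extension symbol (or vice versa) by a fresh variable.
        parent_is_base is None at the root of a term."""
        if is_var(t):
            return t
        if parent_is_base is not None and is_base(t) != parent_is_base:
            return self.fresh(t)              # the whole subterm moves to the antecedent
        return (t[0], tuple(self.abstract(a, is_base(t)) for a in t[1]))

def abstract_clause(literals):
    """literals: list of (positive, lhs, rhs) equations.  Returns the abstracted
    clause: the new negative definition literals x ≄ t, then the rewritten input
    literals.  An equation between a base term and an extension term counts as
    a boundary too and its base side is abstracted (convention of this example)."""
    avoid = set().union(*(all_vars(l) | all_vars(r) for _, l, r in literals))
    ab = Abstraction(avoid)
    out = []
    for pos, l, r in literals:
        if not is_var(l) and not is_var(r) and is_base(l) != is_base(r):
            if is_base(l):
                l = ab.fresh(l)
            else:
                r = ab.fresh(r)
        out.append((pos, ab.abstract(l, None), ab.abstract(r, None)))
    return [(False, x, t) for x, t in ab.defs] + out

def clause_str(clause):
    return " ∨ ".join(f"{term_str(l)} {'≃' if pos else '≄'} {term_str(r)}"
                      for pos, l, r in clause)

def example_7_clause_5():
    """Clause (5) of Example 7, built inline: f(f(b)) ≃ car(cdr(cons(f(b), cons(b, d))))."""
    b, d = ("b", ()), ("d", ())
    fb = ("f", (b,))
    ffb = ("f", (fb,))
    rhs = ("car", (("cdr", (("cons", (fb, ("cons", (b, d)))),)),))
    return [(True, ffb, rhs)]

if __name__ == "__main__":
    print(clause_str(abstract_clause(example_7_clause_5())))
```

The definitions x ≄ f(f(b)), y ≄ f(b), z ≄ b are the only literals of (6) that the T0-reasoner ever sees: after superposition with (2) and (1) has reduced the extension part to x ≃ z, constraint refutation hands the base literals of (8) together with (4) and N0 to the T0 decision procedure, which is what step (9) records. Note that the abstraction does not descend into an abstracted subterm (f(b) stays intact inside the definition of y), so the purely base subterm b under f is not abstracted again.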

Under the assumption that T0 is a universal first-order theory, which ensures compactness, the partial hierarchic superposition calculus was proved sound and complete in [41]: if a contradiction cannot be derived from N ∪ S using this calculus, then N ∪ S has a model which is a partial algebra. Thus, if the unsatisfiability of N ∪ S does not depend on the totality of the extension functions, the partial hierarchic superposition calculus can detect its inconsistency. In certain problem classes where partial algebras can always be made total, the calculus is complete also for total functions. Research on hierarchic superposition continued in [T], where an implementation for extensions of linear arithmetic was presented, and in m, where the calculus was made "more complete" in practice.

3.3 Hierarchical Reasoning in Local Theory Extensions

A series of papers starting with [81] identified a class of theory extensions (T0, T), called local, which admit a complete hierarchical method for checking the satisfiability of ground clauses, without requiring either sufficient completeness or that T0 be a universal first-order theory. The enrichment axioms in N do not have to be clauses: if they are, we have an extension with clauses; if N consists of formulas of the form ∀x̄ (Φ(x̄) ∨ D(x̄)), where Φ(x̄) is an arbitrary Σ0-formula and D(x̄) is a Σ-clause with at least one occurrence of an extension function, we have an extension with augmented clauses. The basic assumption that T0, or a fragment thereof, admits a decision procedure for satisfiability clearly remains.

As we saw throughout this survey, instantiating universally quantified variables is crucial in first-order reasoning. Informally, a theory extension is local if it is sufficient to consider only a finite set of instances. Let G be a set of ground clauses to be refuted in T, and let N[G] denote the set of instances of the clauses in N where every term whose top symbol is an extension function is a ground term occurring in N or G. Theory T is a local extension of T0 if N[G] suffices to prove the T-unsatisfiability of G [81]. Subsequent papers studied variants of locality, including those for extensions with augmented clauses and for combinations of local theories, and proved that locality can be recognized by showing that certain partial algebras embed into total ones [81,82,50,51].

If T is a local extension, it is possible to check the T-satisfiability of G by hierarchical reasoning [81,82,50,51], allowing the introduction of new constants by abstraction as in [64]. By locality, G is T-unsatisfiable if and only if there is no model of N[G] ∪ G whose restriction to Σ0 is a model of T0. By abstracting away non-base terms, N[G] ∪ G is transformed into an equisatisfiable set N0 ∪ G0 ∪ D, where N0 and G0 are sets of Σ0-clauses, and D contains the definitions introduced by abstraction, namely equalities of the form f(g1, ..., gn) ≃ c, where f is an extension function, g1, ..., gn are ground terms, and c is a new constant. The problem is reduced to that of testing the T0-satisfiability of N0 ∪ G0 ∪ Con_D, where Con_D contains the instances of the congruence axioms for the terms in D:

$$\mathrm{Con}_D = \Big\{ \bigwedge_{i=1}^{n} c_i \simeq d_i \Rightarrow c \simeq d \;\Big|\; f(c_1,\ldots,c_n) \simeq c,\ f(d_1,\ldots,d_n) \simeq d \in D \Big\},$$

which can be solved by a decision procedure for T0 or a fragment thereof.

In the following example T0 is the theory of linear arithmetic over the real numbers, and T is its extension with a monotone unary function f, which is known to be a local extension [81]:

Example 8. Let G be (a ≤ b ∧ f(a) = f(b) + 1). The enrichment N = {x ≤ y ⇒ f(x) ≤ f(y)} consists of the monotonicity axiom. In order to check whether G is T-satisfiable, we compute N[G], omitting the redundant clauses c ≤ c ⇒ f(c) ≤ f(c) for c ∈ {a, b}:

N[G] = {a ≤ b ⇒ f(a) ≤ f(b), b ≤ a ⇒ f(b) ≤ f(a)}.

The application of abstraction to N[G] ∪ G yields N0 ∪ G0 ∪ D, where:

N0 = {a ≤ b ⇒ a1 ≤ b1, b ≤ a ⇒ b1 ≤ a1}, G0 = {a ≤ b, a1 ≃ b1 + 1}, D = {a1 ≃ f(a), b1 ≃ f(b)}, and a1 and b1 are new constants. Thus, Con_D is {a ≃ b ⇒ a1 ≃ b1}. A decision procedure for linear arithmetic applied to N0 ∪ G0 ∪ Con_D detects unsatisfiability.
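The reduction in Example 8 is short enough to carry out end to end. The following Python is an added example, not code from the survey or from any of the cited systems: it builds N[G] for the monotonicity axiom over the ground arguments of f in G, reads each f(t) directly as the new constant of D (so the abstraction is implicit), adds Con_D, and decides the resulting base-level clause set with plain case splitting over Fourier-Motzkin elimination, which plays the role of the linear-arithmetic decision procedure. The constraint encoding, the helper names and the case-splitting search (which learns nothing and would not scale, unlike an SMT solver) are assumptions of this example; besides Example 8 it also checks the satisfiable variant a ≤ b ∧ f(a) = f(b) − 1.

```python
from fractions import Fraction as Fr
from itertools import product

# A linear expression is a dict var -> Fraction, with key '' for the constant.
def V(name):
    return {name: Fr(1)}

def K(k):
    return {"": Fr(k)}

def plus(*exprs):
    out = {}
    for e in exprs:
        for v, c in e.items():
            out[v] = out.get(v, Fr(0)) + c
    return out

# A constraint (e, strict) means  e <= 0  (or e < 0 when strict is True).
def le(l, r, strict=False):
    """l <= r, or l < r when strict."""
    return (plus(l, {v: -c for v, c in r.items()}), strict)

def eq(l, r):
    """l = r as a conjunction of two non-strict constraints (one literal)."""
    return [le(l, r), le(r, l)]

def fm_satisfiable(cs):
    """Fourier-Motzkin elimination over the reals: decide whether the conjunction
    of linear constraints cs has a solution."""
    cs = [(dict(e), s) for e, s in cs]
    while True:
        vs = {v for e, _ in cs for v in e if v and e[v] != 0}
        if not vs:                                   # only constants left: k <= 0 or k < 0
            return all(e.get("", 0) < 0 or (e.get("", 0) == 0 and not s) for e, s in cs)
        x = min(vs)
        lo, up, rest = [], [], []
        for e, s in cs:
            a = e.get(x, 0)
            (rest if a == 0 else up if a > 0 else lo).append((e, s))
        for el, sl in lo:                            # el gives a lower bound on x
            for eu, su in up:                        # eu gives an upper bound on x
                al, au = -el[x], eu[x]
                comb = {v: au * el.get(v, 0) + al * eu.get(v, 0)
                        for v in (set(el) | set(eu)) - {x}}
                rest.append((comb, sl or su))        # lower <= upper, strict if either is
        cs = rest

def clauses_satisfiable(clauses):
    """clauses: list of clauses; a clause is a list of literals; a literal is a
    list of constraints (a conjunction).  Satisfiable iff some choice of one
    literal per clause gives a satisfiable conjunction (plain case splitting)."""
    return any(fm_satisfiable([c for lit in choice for c in lit])
               for choice in product(*clauses))

def hierarchical_reduction(ground_terms):
    """For T0 = linear real arithmetic and N = {x <= y => f(x) <= f(y)}: build N[G]
    with x, y ranging over the ground arguments of f in G, already abstracted
    (f(t) is read as the new constant of D), and Con_D for the pairs in D."""
    f = lambda t: f"f({t})"
    n_g = [[[le(V(y), V(x), strict=True)],          # ¬(x <= y), i.e. y < x
            [le(V(f(x)), V(f(y)))]]                  # f(x) <= f(y)
           for x in ground_terms for y in ground_terms]
    con_d = [[[le(V(s), V(t), strict=True)],         # ¬(s = t) as s < t ∨ t < s
              [le(V(t), V(s), strict=True)],
              eq(V(f(s)), V(f(t)))]                  # f(s) = f(t)
             for s in ground_terms for t in ground_terms if s < t]
    return n_g, con_d

def check(g0, ground_terms):
    """T-satisfiability of the abstracted ground clauses g0, via locality."""
    n_g, con_d = hierarchical_reduction(ground_terms)
    return clauses_satisfiable(g0 + n_g + con_d)

def example_8():
    """G = a <= b ∧ f(a) = f(b) + 1, with f(a), f(b) as the constants a1, b1 of D."""
    g0 = [[[le(V("a"), V("b"))]], [eq(V("f(a)"), plus(V("f(b)"), K(1)))]]
    return check(g0, ["a", "b"])

def example_8_variant():
    """a <= b ∧ f(a) = f(b) - 1 is consistent with monotonicity (take a < b)."""
    g0 = [[[le(V("a"), V("b"))]], [eq(V("f(a)"), plus(V("f(b)"), K(-1)))]]
    return check(g0, ["a", "b"])
```

`example_8()` returns False, reproducing the unsatisfiability the text reports: with a ≤ b, the clause a ≤ b ⇒ f(a) ≤ f(b) forces f(a) ≤ f(b), which Fourier-Motzkin combines with f(a) = f(b) + 1 into the constant constraint 1 ≤ 0. The redundant instances x = y are left in N[G] here because they are harmless (they reduce to 0 ≤ 0); the text omits them for readability.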

3.4 Beyond SMT: Satisfiability Modulo Assignment and MCsat

Like SGGS generalizes conflict-driven clause learning (CDCL) to first-order logic and Herbrand interpretations, the Model-Constructing satisfiability calculus, or MCsat for short, generalizes CDCL to decidable fragments of first-order theories and their models [35,55].

Recall that in DPLL-CDCL the trail that represents the candidate partial model contains only propositional literals; the inference mechanism that explains conflicts is propositional resolution; and learnt clauses are made of input atoms. These three characteristics hold also of the DPLL(T) paradigm for SMT solvers [7], where an abstraction function maps finitely many input first-order ground atoms to finitely many propositional atoms. In this way, the method bridges the gap between the first-order language of the theory T and the propositional language of the DPLL-CDCL core solver. In DPLL(T), also T-lemmas are made of input atoms, and the guarantee that no new atoms are generated is a key ingredient of the proof of termination of the method in [65].

Also when T is a union of theories T = T1 ∪ ... ∪ Tn, the language of atoms remains finite. The standard method to combine satisfiability procedures for theories T1, ..., Tn into a satisfiability procedure for their union is equality sharing [64], better known as the Nelson-Oppen scheme, even if equality sharing was the original name given by Greg Nelson, as reconstructed in [53]. Indeed, a key feature of equality sharing is that the combined procedures only need to share equalities between constant symbols. These equalities are mapped by the abstraction function to proxy variables, that is, propositional variables that stand for the equalities. As there are finitely many constant symbols, there are also finitely many proxy variables.

MCsat generalizes both model representation and inference mechanism beyond satisfiability modulo theories (SMT), because it is designed to decide a more general problem called satisfiability modulo assignment (SMA). An SMA problem consists of determining the satisfiability of a formula S in a theory T, given an initial assignment I to some of the variables occurring in S, including both propositional variables and free first-order variables. SMT can be seen as the special case of SMA where I is empty. Also, since an SMT solver builds partial assignments during the search for a satisfying one, an intermediate state of an SMT search can be viewed as an instance of SMA. A first major generalization of MCsat with respect to DPLL-CDCL and DPLL(T) is to allow the trail to contain also assignments to free first-order variables (e.g., x ← 3). Such assignments can be semantic decisions or semantic propagations, thus called to distinguish them from the Boolean decisions and Boolean propagations that yield the standard Boolean assignments (e.g., L ← true).

The answer to an SMA problem is either a model of S including the initial assignment I, or "unsatisfiable" with an explanation, that is, a formula S' that follows from S and is inconsistent with I. This notion of explanation is a generalization of the explanation of conflicts by propositional resolution in DPLL-CDCL. Indeed, a second major generalization of MCsat with respect to DPLL-CDCL and DPLL(T) is to allow the inference mechanism that explains conflicts to generate new atoms, as shown in the following example in the quantifier-free fragment of the theory of equality:

Example 9. Assume that S is a conjunction of literals including {v ≃ f(a), w ≃ f(b)}, where a and b are constant symbols, f is a function symbol, and v and w are free variables. If the trail contains the assignments a ← α, b ← α, w ← β1, v ← β2, where α, β1, and β2 denote distinct values of the appropriate sorts, there is a conflict: a and b are equal, but f(a) and f(b) have been given different values. The explanation is the formula a ≃ b ⇒ f(a) ≃ f(b), which is an instance of the substitutivity axiom, or congruence axiom, for function f. Note how the atoms a ≃ b and f(a) ≃ f(b) need not appear in S, and therefore such a lemma could not be generated in DPLL(T).

In order to apply MCsat to a theory T, one needs to give clausal inference rules to explain conflicts in T. These inference rules generate clauses that may contain new (i.e., non-input) ground atoms in the signature of the theory. New atoms come from a basis, defined as the closure of the set of input atoms with respect to the inference rules. The proof of termination of the MCsat transition rules in [35] requires that the basis be finite. The following example illustrates the importance of this finiteness requirement:

Example 10. Given S = {x > 2, ¬(x > 1) ∨ y > 1, x² + y² < 1 ∨ xy > 1}, and starting with an empty trail M = ∅, a Boolean propagation puts x > 2 in the trail. Theory propagation adds x > 1, because x > 2 implies x > 1 in the theory, and x > 1 appears in S. A Boolean propagation over clause ¬(x > 1) ∨ y > 1 adds y > 1, so that we have M = x > 2, x > 1, y > 1. If a Boolean decision guesses next x² + y² < 1 and then a semantic decision adds x ← 2, we have M = x > 2, x > 1, y > 1, x² + y² < 1, x ← 2 and a conflict, as there is no value for y such that 4 + y² < 1. Learning ¬(x = 2) as an explanation of the conflict does not work, because the procedure can then try x ← 3, and hit another conflict. Clearly, we do not want to learn the infinite sequence ¬(x = 2), ¬(x = 3), ¬(x = 4), ...

Similarly, a systematic application of the inference rules to enumerate all atoms in a finite basis would be too inefficient. The key point is that the inference rules are applied only to explain conflicts and amend the current partial model, so that the generation of new atoms is conflict-driven. This concept is connected with that of interpolation (e.g., [83] for interpolation and locality, [23] for a survey on interpolation of ground proofs, and [24] for an approach to interpolation of non-ground proofs): given two inconsistent formulae A and B, a formula that follows from A and is inconsistent with B is an interpolant of A and B if it is made only of symbols that appear in both A and B. In a theory T, the notions of being inconsistent and of being a logical consequence are relative to T, and the interpolant is allowed to contain theory symbols even if they are not common to A and B. Since an explanation is a formula S' that follows from S and is inconsistent with I, an interpolant of S and I (written as a formula) is an explanation. We illustrate these ideas by continuing Example 10.

Example 11. The solution is to observe that x² + y² < 1 implies −1 < x ∧ x < 1, which is inconsistent with x = 2. Note that −1 < x ∧ x < 1 is an interpolant of x² + y² < 1 and x = 2, as x appears in both. Thus, a desirable explanation is (x² + y² < 1) ⇒ x < 1, or ¬(x² + y² < 1) ∨ x < 1 in clausal form, which brings the procedure to update the trail to M = x > 2, x > 1, y > 1, x² + y² < 1, x < 1.

At this point, x > 2 and x < 1 cause another theory conflict, which leads the procedure to learn the lemma ¬(x > 2) ∨ ¬(x < 1). A first step of explanation by resolution between ¬(x² + y² < 1) ∨ x < 1 and ¬(x > 2) ∨ ¬(x < 1) yields ¬(x² + y² < 1) ∨ ¬(x > 2). A second step of explanation by resolution between ¬(x² + y² < 1) ∨ ¬(x > 2) and x > 2 yields ¬(x² + y² < 1), so that the trail is amended to M = x > 2, x > 1, y > 1, ¬(x² + y² < 1), finally repairing the decision (asserting x² + y² < 1) that caused the conflict.
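Once the two lemmas of Example 11 are on the trail as justifications, the two resolution steps are ordinary CDCL conflict analysis of the kind described for DPLL-CDCL in Section 2: resolve the conflict clause with the justification of the most recently assigned literal it falsifies, and stop when the clause is asserting. The following Python is an added example, not code from the survey or from the MCsat implementation: it replays the trail of Examples 10 and 11 with the lemmas as constructed input (the theory reasoning that produced them is not modelled, and the atoms are plain strings), and runs the explanation loop. The stopping rule, which also resolves away level-0 literals so that the result is the unit clause ¬(x² + y² < 1) exactly as in the text rather than stopping at the already-asserting ¬(x² + y² < 1) ∨ ¬(x > 2), is an assumption of this example.

```python
from collections import namedtuple

# A literal is an atom (written as a string here) with a polarity; ¬A is Lit(A, False).
Lit = namedtuple("Lit", "atom pos")

def neg(lit):
    return Lit(lit.atom, not lit.pos)

class Trail:
    """Trail of DPLL-CDCL: literals with their decision level and, for propagated
    literals, the clause that justifies them (None for decisions)."""
    def __init__(self):
        self.entries = []                    # (lit, justification or None, level)
        self.level = 0

    def decide(self, lit):
        self.level += 1
        self.entries.append((lit, None, self.level))

    def propagate(self, lit, clause):
        """Add lit as implied by clause: all other literals of clause are false."""
        clause = frozenset(clause)
        falsified = {neg(l) for l, _, _ in self.entries}
        assert lit in clause and clause - {lit} <= falsified, "not a unit propagation"
        self.entries.append((lit, clause, self.level))

    def level_of(self, lit):
        return next(lvl for l, _, lvl in self.entries if l == lit)

def resolve(c1, c2, atom):
    """Propositional resolution of c1 and c2 on atom."""
    return frozenset(l for l in c1 | c2 if l.atom != atom)

def explain(trail, conflict):
    """Explain a conflict clause (all of whose literals are false on the trail) by
    resolving it, most recently assigned literal first, against the justifications
    of the literals it falsifies.  Stops at an asserting clause (exactly one literal
    of the current level) that mentions no level-0 literal.
    Returns (learned clause, backjump level, intermediate resolvents)."""
    clause, steps = frozenset(conflict), []
    while True:
        levels = {l: trail.level_of(neg(l)) for l in clause}
        current = [l for l in clause if levels[l] == trail.level]
        zero = [l for l in clause if levels[l] == 0]
        if len(current) <= 1 and not zero:
            break
        # most recent trail literal falsifying a clause literal; decisions have no
        # justification and are never resolved away (they are the unique implication points)
        pivot = next((l, j) for l, j, _ in reversed(trail.entries)
                     if neg(l) in clause and j is not None)
        clause = resolve(clause, pivot[1], pivot[0].atom)
        steps.append(clause)
    others = [lv for l, lv in levels.items() if lv != trail.level]
    return clause, max(others, default=0), steps

def example_11():
    """The trail of Examples 10 and 11 with the lemmas of Example 11 as
    justifications (constructed input), followed by the conflict explanation."""
    x_gt_2, x_gt_1, y_gt_1 = Lit("x>2", True), Lit("x>1", True), Lit("y>1", True)
    circle, x_lt_1 = Lit("x^2+y^2<1", True), Lit("x<1", True)
    t = Trail()
    t.propagate(x_gt_2, {x_gt_2})                         # unit input clause
    t.propagate(x_gt_1, {neg(x_gt_2), x_gt_1})            # theory propagation lemma
    t.propagate(y_gt_1, {neg(x_gt_1), y_gt_1})            # input clause ¬(x>1) ∨ y>1
    t.decide(circle)                                      # Boolean decision x²+y²<1
    t.propagate(x_lt_1, {neg(circle), x_lt_1})            # explanation lemma of Example 11
    conflict = {neg(x_gt_2), neg(x_lt_1)}                 # theory conflict lemma
    return explain(t, conflict)

if __name__ == "__main__":
    learned, backjump, steps = example_11()
    for s in steps:
        print(" ∨ ".join(("" if l.pos else "¬") + l.atom for l in s))
    print("learned:", sorted(learned), "backjump to level", backjump)
```

The first resolvent is ¬(x² + y² < 1) ∨ ¬(x > 2) and the second is ¬(x² + y² < 1), matching the two steps in the text; the backjump level is 0, so ¬(x² + y² < 1) enters the trail as a level-0 propagation and the decision that caused the conflict is repaired. What MCsat adds on top of this loop is that the justifications themselves (the lemma ¬(x² + y² < 1) ∨ x < 1 here) may contain atoms that were not in the input, which is the point of Examples 9 to 11.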

In summary, MCsat is a fully model-based procedure, which lifts CDCL to SMT and SMA. Assignments to first-order variables and new literals are involved in decisions, propagations, conflict detections, and explanations, on a par with Boolean assignments and input literals. The theories covered in [35,55] are the quantifier-free fragments of the theories of equality, linear arithmetic, and Boolean values, and their combinations. MCsat is also the name of the implementation of the method as described in [55].

4 Discussion

We surveyed model-based reasoning methods, where inferences build or amend partial models, which guide in turn further inferences, balancing search with inference, and the search for a model with the search for a proof. We exemplified these concepts for first-order clausal reasoning, and then we lifted them, so to speak, to theory reasoning. Automated reasoning has made giant strides, and state-of-the-art systems are very sophisticated in working with mostly syntactic information. The challenge of model-based methods is to move towards a semantically-oriented style of reasoning, which may pay off for hard problems or new domains.